Claude Code <=v2.0.65 Exfil: Repos Leak Anthropic Keys before Trust Prompt
CVE-2026-21852 Published on January 21, 2026
Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.
Weakness Type
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Products Associated with CVE-2026-21852
Want to know whenever a new CVE is published for Anthropic Claude Code? stack.watch will email you.
Affected Versions
anthropics claude-code Version < 2.0.65 is affected by CVE-2026-21852Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.